Jonathan Pollet, founder of Red Tiger Security, is a 17-year veteran of the critical infrastructure industry. As an ‘ethical hacker,’ he consults for some of the world’s largest energy companies, as well as electric utilities, chemical plants, water treatment plants, etc. to help them better defend against cyber attacks.
There’s been a lot of discussion lately about the risks posed by hackers to America’s critical infrastructure systems, with terms like “cyber-Pearl Harbor” and “cyber-9/11” being bandied about by government officials and other prominent figures.
One of the worst scenarios these cyberwar predictions almost invariably depict is an attack on the US power grid that causes a widespread blackout.
In his testimony before the House Intelligence Committee on November 20th, NSA Director Adm. Michael Rogers went into some detail on those risks:
House Intelligence Committee Chairman Mike Rogers: “It was determined that malware was on those (critical infrastructure) systems. Can you be a little more definitive about what does that mean? If I’m on that system and I want to do some harm, what does that do … ? Do the lights go out? Do we stop pumping water? What does that really mean? And the fact that it was there, does that mean they already have the capability to ‘flip the switch’ if they wanted to?”
Admiral Michael Rogers: “Well let me address the last part first. There shouldn’t be any doubt in our minds that there are nation-states and groups out there that have the capability to do that. To enter our systems, to enter those industrial control systems, and to shut down, forestall our ability to operate, our basic infrastructure. Whether it’s generating power across this nation, whether it’s moving water and fuel … Once you’re into the system and you’re able to do that, it enables you to do things like, if I want to tell power turbines to go offline and stop generating power, you can do that. If I wanted to segment the transmission system so that you couldn’t distribute the power that was coming out of the power stations, this would enable you to do that. It enables you to shut down very segmented, very tailored parts of our infrastructure.”
A number of media outlets interpreted these comments as a claim by the NSA that a country like China could take down our nation’s power grid. But is that what the NSA director really said? And is a widespread, national blackout caused by hackers a realistic scenario?
While it’s easy to draw that conclusion from the generalized nature of Adm. Rogers’ responses, it’s important to re-read the last line in that exchange: “It enables you to shut down very segmented, very tailored parts of our infrastructure.” (Emphasis added.)
This line is important because it clarifies the types of risks we’re actually talking about when it comes to the electric grid. No, hackers can’t take down the entire, or even a widespread portion of the US electric grid. From a logistical standpoint, this would be far too difficult to realistically pull off - and it’s not what we should be devoting our attention to. What is more realistic is for a cyber attack to cripple an individual utility, causing a blackout or disruption of service at the local level.
The power grid is vulnerable to attack — there’s no question about that. In my own work, testing the security readiness of US and global energy companies and utilities, I regularly find serious vulnerabilities on these networks and I am often called in to deal with compromises that have already taken place — including cyber-espionage activities by state-sponsored groups.
Adm. Rogers' testimony is extremely important because it lends an authoritative voice to an urgent problem facing this country right now: America's critical infrastructure is vulnerable to attack, it is a complicated problem to fix, and an attack is imminent. But the notion that a hacker could basically turn off the country's power with the 'flip of a switch,' as Rep. Rogers put it, is more science fiction than reality.
Photo (Pichi Chuang/Reuters): A hacker who wished to remain anonymous works on his computer in Taipei. The island is a common place for Chinese hackers to practice attacks before unleashing them on other countries.
Here’s why:
  • The US energy grid is owned and operated by hundreds of regional utilities that run different hardware and software. An attacker would have to gain a foothold in hundreds of separate networks, which could take years, and then develop custom exploits tailored to each environment. For those who would argue that China or Russia have the money, time and capability to do that, consider what is involved: developing a working exploit, placing it on exactly the part of the network where it has the desired effect (i.e., the specific programmable logic controllers that run the utility's machinery), keeping it hidden on that network for months or years while security teams hunt for it, and doing all of this at the same time on hundreds of networks. To put it in perspective, it would be like trying to rob a hundred different banks at the exact same time.
  • Even if a hacker group were able to pull this off, the architecture of the grid itself creates another hurdle. The North American grid is divided into a few large interconnections (the Eastern, Western and Texas interconnections) that operate asynchronously and are joined only by high-voltage DC ties. Those ties were designed so that a disturbance in one interconnection does not propagate into the others, which limits how far a cascading outage can spread.
By clarifying what we mean when we warn about attacks on the electric grid and other critical infrastructure, I’m not trying to downplay this risk at all. US critical infrastructure networks, which include the electric grid, utilities, oil/gas refineries and pipelines, water treatment plants, transportation networks, etc., are all highly vulnerable to cyber attacks, and this threat should be prioritized at the highest level by the federal government.
In the meantime, the individual asset owners who are the ones technically responsible for securing their networks and facilities need to start taking more aggressive steps immediately to guard against highly sophisticated cyber actors. But the real risk when it comes to the electric grid specifically is of localized disruptions in service — not a widespread outage. It would be extremely difficult for hackers, without an almost superhuman effort, to cause a power outage that stretched across the country.